This example shows how to use the XACML-JSON PDP API in the context of a peer recognition program.
The example company, AnyCompany, has an internal peer recognition program. The peer recognition program allows employees to recognize each other by awarding each other points. The points can be spent in different categories. Each category requires a minimum number of points for the category to become available. When an employee spends enough points in a category, a related product becomes unlocked in an online catalog that the employee can purchase. AnyCompany has implemented a web application where employees spend their points, view their available catalog, and purchase products.
In this example, the web application that implements the online catalog can make the following XACML-JSON request when an employee spends their points. The request includes three decision requests.
{
"Request":{
"MultiRequests":{
"RequestReference":[
{
"ReferenceId":[
"domain-1",
"action-1",
"service-1",
"idp-1",
"attributes-1"
]
},
{
"ReferenceId":[
"domain-1",
"action-2",
"service-2",
"idp-1",
"attributes-2"
]
},
{
"ReferenceId":[
"domain-1",
"action-1",
"service-3",
"idp-1",
"attributes-1"
]
}
]
},
"AccessSubject":[
{
"Id":"domain-1",
"Attribute":[
{
"AttributeId":"domain",
"Value":"AnyCompany.Management"
}
]
}
],
"Action":[
{
"Id":"action-1",
"Attribute":[
{
"AttributeId":"action",
"Value":"Update"
}
]
},
{
"Id":"action-2",
"Attribute":[
{
"AttributeId":"action",
"Value":"Retrieve"
}
]
}
],
"Resource":[
{
"Id":"service-1",
"Attribute":[
{
"AttributeId":"service",
"Value":"Peer Recognition.Point allocation"
}
]
},
{
"Id":"service-2",
"Attribute":[
{
"AttributeId":"service",
"Value":"Peer Recognition.Points unspent"
}
]
},
{
"Id":"service-3",
"Attribute":[
{
"AttributeId":"service",
"Value":"Peer Recognition.Products"
}
]
}
],
"Category":[
{
"Id":"attributes-1",
"Attribute":[
{
"AttributeId":"attribute:User input.User Id",
"Value":"self"
},
{
"AttributeId":"attribute:User input.Entertainment",
"Value":8
},
{
"AttributeId":"attribute:User input.Travel",
"Value":5
},
{
"AttributeId":"attribute:User input.Academics",
"Value":6
},
{
"AttributeId":"attribute:User input.Electronics",
"Value":5
},
{
"AttributeId":"attribute:User input.Sports",
"Value":5
},
{
"AttributeId":"attribute:User input.Food",
"Value":7
},
{
"AttributeId":"attribute:User input.Music",
"Value":4
}
]
},
{
"Id":"attributes-2",
"Attribute":[
{
"AttributeId":"attribute:User input.User Id",
"Value":"self"
}
]
}
],
"Environment":[
{
"Id":"idp-1",
"Attribute":[
{
"AttributeId":"symphonic-idp",
"Value":"AnyCompany SSO"
}
]
}
]
}
}
RequestReference
JSON
array. Each JSON object in the array contains a single field, ReferenceId
.
Each ReferenceId
field contains an array of Id
references
that represent the content of the decision request. The following tables highlight the key
components of each decision request.For brevity, only one Trust Framework attribute is listed in each decision request.
Parent (JSON Path) | Field (JSON Path) | PingAuthorize Trust Framework type | Example value |
---|---|---|---|
$.Request.AccessSubject[*] |
$.Attribute[?(@.AttributeId == "domain")].Value |
Domain | AnyCompany.Management |
$.Request.Action[*] |
$.Attribute[?(@.AttributeId == "action")].Value |
Action | Update |
$.Request.Resource[*] |
$.Attribute[?(@.AttributeId == "service")].Value |
Service | Peer Recognition.Point allocation |
$.Request.Environment[*] |
$.Attribute[?(@.AttributeId == "symphonic-idp")].Value |
Identity Provider | AnyCompany SSO |
$.Request.Category[*] |
$.Attribute[?(@.AttributeId == "attribute:User
input.Entertainment")] |
Attribute | 8 |
Parent (JSON Path) | Field (JSON Path) | PingAuthorize Trust Framework type | Example value |
---|---|---|---|
$.Request.AccessSubject[*] |
$.Attribute[?(@.AttributeId == "domain")].Value |
Domain | AnyCompany.Management |
$.Request.Action[*] |
$.Attribute[?(@.AttributeId == "action")].Value |
Action | Retrieve |
$.Request.Resource[*] |
$.Attribute[?(@.AttributeId == "service")].Value |
Service | Peer Recognition.Points unspent |
$.Request.Environment[*] |
$.Attribute[?(@.AttributeId == "symphonic-idp")].Value |
Identity Provider | AnyCompany SSO |
$.Request.Category[*] |
$.Attribute[?(@.AttributeId == "attribute:User input.User Id")] |
Attribute | self |
Parent (JSON Path) | Field (JSON Path) | PingAuthorize Trust Framework type | Example value |
---|---|---|---|
$.Request.AccessSubject[*] |
$.Attribute[?(@.AttributeId == "domain")].Value |
Domain | AnyCompany.Management |
$.Request.Action[*] |
$.Attribute[?(@.AttributeId == "action")].Value |
Action | Retrieve |
$.Request.Resource[*] |
$.Attribute[?(@.AttributeId == "service")].Value |
Service | Peer Recognition.Products |
$.Request.Environment[*] |
$.Attribute[?(@.AttributeId == "symphonic-idp")].Value |
Identity Provider | AnyCompany SSO |
$.Request.Category[*] |
$.Attribute[?(@.AttributeId == "attribute:User input.Travel")] |
Attribute | 5 |
The following is an example response to the previous example request.
The XACML-JSON response contains the decision responses for each of the three decision requests. The order of the decision responses corresponds to the order of the decision requests. In the first decision response, the system policy does not detect any problems and permits the employee to change her point allocation. In the second decision response, the system policy allows the employee to view her own unspent points and indicates that the value is now 0. In the third decision response, the system permits the retrieval of the employee's own product catalog and indicates which of the products should be unlocked for purchase.
Given the response, the web application can now render the content for the three decision requests. It renders the 0 unspent points and all catalog products, with purchase buttons disabled where appropriate.
{
"Response": [
{
"Decision": "Permit",
"Obligations": [],
"AssociatedAdvice": []
}, {
"Decision": "Permit",
"Obligations": [],
"AssociatedAdvice": [{
"Id": "remaining-points",
"AttributeAssignments": [{
"AttributeId": "payload",
"Value": "0"
}]
}]
}, {
"Decision": "Permit",
"Obligations": [],
"AssociatedAdvice": [{
"Id": "catalog",
"AttributeAssignments": [{
"AttributeId": "attribute:Derived.Product availability.Trip to exotic country",
"Value": "false"
}, {
"AttributeId": "attribute:Derived.Product availability.Super Bowl tickets",
"Value": "false"
}, {
"AttributeId": "attribute:Derived.Product availability.Movie theater gift card",
"Value": "true"
}, {
"AttributeId": "attribute:Derived.Product availability.Encyclopedia subscription",
"Value": "false"
}, {
"AttributeId": "attribute:Derived.Product availability.Dinner at 5-star restaurant",
"Value": "true"
}, {
"AttributeId": "attribute:Derived.Product availability.Expensive laptop",
"Value": "false"
}, {
"AttributeId": "payload",
"Value": "2020-03-17T16:21:20.175132-05:00"
}]
}]
}]
}